The most noteworthy digital signage hacks

November 16, 2018

The digital signage industry has a problem with hacking, and, if you think about it, it makes sense. First, the industry is filled with plenty of digital sign DIY solutions and hardware/software combinations that do not have a focus on security. Secondly, by their nature, digital signs display images and videos in prominent locations. After all, that’s the entire point - digital signs are meant to be seen. This provides a tempting opportunity for hackers to take over a digital sign and display whatever image or video content they want to a large audience.

Sometimes, what is meant to be seen can quickly become the obscene. Once the hacker has gained access to the digital sign, they are often in full control – whatever is displayed or not displayed is entirely up to them. In this article, we take a look at some the most notable digital signage hacks in recent news.

The hacks

1. Bristol Airport’s flight information display system

In September 2018, Bristol Airport suffered a targeted hack on its flight information display systems. Hackers temporarily disabled the system and blackmailed airport authorities to put the system online. As Bristol Airport is the ninth largest British airport, this hack of course had great consequence travelers. However, this attack was also significant in that it demonstrated how vital public transportation infrastructure can be impacted by digital signage vulnerabilities.

2. Union Station digital sign displays graphic content

In May 2017, a digital sign at Union Station in Washington D.C. was accessed by hackers and used to stream pornographic content. Hackers timed their attack to take place during rush hour traffic so that the highest number of travelers was impacted by the content. While this event only lasted for about three minutes until the display was disabled, passengers were understandably shocked. Rather than blaming a physical attack on the hardware, representatives from the digital sign provider suspected that the hacker may have accessed the display via a “non-secured back door or OS vulnerability”.

3. A hack with a friendly warning in Liverpool

While this attack was far more benign than the Union Station attack, hackers were able to taunt their full control over the digital sign. In May 2017, hackers accessed an outdoor digital display at a shopping center in Liverpool. The display then showed the message “We suggest you improve your security. Sincerely, your friendly neighborhood hackers.” Shopping center administrators shut down the screen quickly after learning of the hack, however the hackers were certainly able to make themselves known. Professor Alan Woodward from the University of Surrey poignantly commented on this digital sign attack, stating “You might not think it matters, after all it’s just an advertising billboard, but who knows what else this system is linked to.”

4. Alabama digital billboard hack targets Florida senator Marco Rubio

In May 2016, in the midst of the heated 2016 U.S. elections, a digital billboard hack took aim at Florida senator Marco Rubio. This hack displayed a photoshopped image of Rubio as a shirtless attendee at a gay pride festival in Spain. The digital billboard hacker took to Twitter to advertise his successful attack and noted that the digital sign hack was the “easiest exploit in the history of exploits” and that “the amazing thing about this is the gaping hole in security that allowed it the first place.”

5. Ironman cyclists included in digital sign hack in North Carolina

Cyclists are likely one of the last groups you would expect to be the victim of a digital signage hack. However, in May 2018, cyclists competing in an Ironman triathlon received some special messages from the digital road sign hackers. On the hacked billboard digital signs, cyclists and pedestrians saw messages from the digital sign hackers such as “Expect delays. A–holes on bikes” and “Right lane closed due to idiots on bikes.” Of course, the North Carolina Department of Transportation released a statement that they nor their contractors created the messages.

Digital signage security at Screenly

One of Screenly’s founders, Viktor Petersson, recently published an article in RavePubs entitled “Why Are We Not Talking About Digital Signage Security?” This article discusses how security is often nothing more than an afterthought in the digital signage industry. This low prioritization of security makes digital signs vulnerable to the types of attacks discussed above. More consequentially, however, a company’s digital sign can provide hackers with a backdoor to the company’s entire IT infrastructure and private data. Such risks have motivated Screenly to invest heavily in the security behind our digital signage solutions. As part of Screenly’s dedication to security, we created our Screenly 2 Player on the Ubuntu Core operating system where each package needs to request permission when installed. You can read more on our blog post on the Ubuntu Core Screenly 2 Player.

We hope this article was interesting and perhaps even illuminating regarding the security risks associated with digital signage. In the best case scenario, digital signs are an easy target for hackers to quite visibly show off their talents. However, in the worst case scenario, digital signs can serve as the starting point for hackers to access your sensitive company data.